Refurbished BlackEnergy does Windows and Linux—even Cisco routers.

Researchers have discovered new capabilities in the BlackEnergy crimeware tool that significantly extend its reach. The ability to run on network devices, steal digital certificates, and render infected computers unbootable are just a few of the new-found weapons in its arsenal.

BlackEnergy emerged as a tool for launching denial-of-service attacks. It later morphed into crimeware used to funnel banking credentials and most recently was observed as a refitted piece of software for espionage that targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year. In this last incarnation, BlackEnergy in some cases was installed by exploiting a previously unknown vulnerability in Microsoft Windows systems.

According to a report published Monday by security firm Kaspersky Labs, the breadth of BlackEnergy goes even further. A host of extensions customized for both Windows and Linux systems contain commands for carrying out DoS attacks, stealing passwords, scanning ports, logging IP sources, covertly taking screenshots, gaining persistent access to command and control channels, and destroying hard drives. Researchers Kurt Baumgartner and Maria Garnaeva also acquired a version that works on ARM- and MIPS-based systems and uncovered evidence BlackEnergy has infected networking devices manufactured by Cisco Systems. They are unsure precisely what the purpose is for some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS, motherboard, and processor of infected systems.

"We are pretty sure that our list of [BlackEnergy] tools is not complete," the researchers wrote. "For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files."

BlackEnergy has targeted victims in at least 20 countries, including Russia, Germany, Belgium, Turkey, Libya, and Vietnam. One unidentified victim was infected through a spearphishing campaign that exploited an unspecified vulnerability. Once the unknown attackers had reason to believe the victim knew of the infection, they activated "dstr," the name of a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised by using VPN credentials taken from the first victim.